O/T: internet security question (leaked details)

When companies like PayPal ask you to set up 2FA, how do they know it's really you?

(Fortunately there are nearly always ways to skip the setup.)

Reply to
Max Demian

Yes, I use a simple 'algorithm' to generate passwords for "don't care" web sites that require a password. This is mostly for places that I buy on-line but *don't* save any credit card details or club and forum sites. I really don't care that much if someone breaks into my account, all they could do is impersonate me on the forum (so what?) and see what I have bought from some supplier or other.

Where I have credit card details or other similarly sensitive information I use much stronger passwords, though as far as possible I don't allow sites to save credit card details.

Reply to
Chris Green

So if someone nicks your computer they get access?!

Reply to
Chris Green

I think you have already had to log in and 2FA is an added layer for future transactions.

Fortunately there are nearly always those who set themselves up as an easy target to divert the risk away from others.

Reply to
Scott

That's an ad for 1Password, which is a password manager. Have I Been Pwned is a separate thing and has a 'notify me' function which will mail you if your email or domain shows up in other breaches. It's free, and the link is at the top of the screen.

Theo

Reply to
Theo

account

Or use a "formula" to generate passwords unique to each site. Based say on part of the company name. Loads of things you can do to make the password pretty secure: upper/lowercase given character position(s), letter/number substitute, both either as an in-position substitution or an insert before or after the position. Pre/append a short string (containing symbols, numbers, upper/lowercase).

Even if you forget what a password is for a site you can work it out by applying your formula. The only slight gotcha is those sites that object to symbols in a password.

Bits of paper work... One would also assume that the information is also obfuscated and not a simple plain text list, and also contains old, invalid information or even completely bogus information.

Assuming the device with your passwords on hasn't also been nicked or even simply died. Lightning strike, power surge? Just as likely as a tea leaf taking the bits of paper. You can't even have a go at trying to work out what any passwords are.

Reply to
Dave Liquorice

Ever heard of backups?

Reply to
Scott


Okay, it's an attempt to con then, not a con. It is quite clear they are trying to induce you into clicking 'Start using 1Password.com'.

Reply to
Scott

Personally I don't trust McAfee as far as I can throw it but YMMV. Their main claim to fame seems to be large corporate discounts.

Although a keylogger on your home PC cannot be ruled out. Malwarebytes is a pretty reliable zapper for such things.

We also don't know the integrity of the password used.

If it was Pa55w0rd or qwerty or in any dictionary then all bets are off.

It is never a good idea to use the same password login on multiple sites. Sites vary massively in their ability to keep things securely.

At a minimum even on toy sites that insist you have a password include two random words and the year you first opened it in between. A random capitalisation (not the first letters) makes it a bit more secure and an unusual character also helps. Beware when they "upgrade" software: I have had my choice of unusual password character declared illegal once.

Noddy sites get fairly weak passwords. Banks get high entropy rule based passwords that even someone who has seen it written down will not be able to remember unless they know the generating rule.

Reply to
Martin Brown

Well if you aren't using whole disk encryption ...

Reply to
Jethro_uk

I don't, and I'm not paranoid.

Reply to
Richard

Not much use without a working device to transfer the backup to for use.

Reply to
Dave Liquorice

Very true, whereas bits of paper with passwords would be enormously useful to anyone without a working computer.

Reply to
Scott

and, you can write down the time on a piece of paper.

Reply to
charles

Good for you.

Reply to
Scott

So as a matter of urgency you need to go and update passwords on *all* of the sites you are registered with, and make sure that the same credentials are never re-used.

Since once a site is compromised, automated testing tools will enable the crooks to check those credentials against 100s of thousands of other web sites. So it's a safe bet that all or most of your accounts associated with those credentials are now compromised.

[snip]

Lots of possibilities. If you go and enter the relevant email address here:

formatting link

it will tell you which public database of hacked credentials it came from and may give some indication of the source.

You can also test individual passwords here:

formatting link

Could be - it might be the site itself, or often it's a weakness in a third party service that the company (and many others) use.

The Ticketmaster hack being a good example:

formatting link

Also possible - or a sub contracting company, data processor, or even individual.

Also possible but probably less likely - if that were the case you would expect any interaction with a site that uses those credentials to have triggered the unexpected logins.

However, I would suggest a sweep with the malwarebytes.org scanner.

Reply to
John Rumm
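The password-testing service John Rumm links to lets you check a password without sending it: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every hash suffix sharing that prefix with a breach count, and does the match locally. The script below is an added example, not code from the thread or the service; the range response is constructed inline (the real service's counts differ) so it runs offline, and `fetch_range_online` is an optional hypothetical helper that would query the public range endpoint.

```python
import hashlib
import urllib.request

# Constructed sample of a range response for the prefix "5BAA6": lines are
# "SUFFIX:COUNT". The first suffix completes SHA-1("password"); the count is
# made up for this example and is not the service's real figure.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD9:2\n"
        "0000000000000000000000000000000ABCD:1\n"
    ),
}

def split_hash(password):
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest.
    Only the 5-character prefix ever leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def fetch_range_offline(prefix):
    """Offline stand-in for the range query, backed by the constructed sample."""
    return SAMPLE_RANGES.get(prefix, "")

def fetch_range_online(prefix):
    """Hypothetical live lookup against the public range endpoint (assumed URL)."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(password, fetch_range=fetch_range_offline):
    """Return how many times the password appears in the breach data (0 = not seen).
    Matching the suffix happens locally, so the service never learns the hash."""
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        seen = breach_count(pw)
        verdict = f"seen {seen} times" if seen else "not in sample data"
        print(f"{pw!r}: {verdict}")
```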

Nothing is 100% secure, but there is plenty you can do to limit the damage when something goes wrong.

A decent password ought not be "memorable". If you need it, go look at the written record of it (the plate on the back of the router if you like), or use the WPS button for creating new connections.

Reply to
John Rumm

He probably won't be able to get a stock of new masks now :-)

Reply to
John Rumm

I think you may have missed the point Tim was making, i.e. just because you have a file of passwords recorded, it does not have to be obvious or even intelligible to someone else if the details are obfuscated, or simply hidden in lots of other data.

Reply to
John Rumm

Sorry, I must have been distracted by all the verbiage about scrotes, lone rangers and swag.

I prefer to hold the passwords in an encrypted form that can be cut and pasted when needed than in a disguised form on bits of paper that needs to be painstakingly typed in each time. Everyone makes their own choices of course.

Reply to
Scott
